Windows - Forensics - Get Automox Agent Log (Amagent.log)

What the Automox Agent Log retriever does

This Automox Worklet™ retrieves the contents of the amagent.log file from C:\ProgramData\amagent\amagent.log and outputs the results to your Automox Activity Log. The amagent.log contains diagnostic and operational information about the Automox Agent, making it essential for troubleshooting.

The Worklet supports multiple retrieval modes. You can retrieve the entire log file, get only the last X number of entries, filter entries by a specific date, or retrieve only the entries from a specific date and limit the result to the last X entries. This flexibility lets you tailor the diagnostic data collection to your troubleshooting needs.

Activity Log output is limited to 1 MB per execution. If the amagent.log file exceeds this size, only the first 1 MB will be displayed. By using the line count parameters, you can retrieve smaller, more focused subsets of the log without hitting this limitation.

Why retrieve Automox Agent logs from your endpoints

When Automox Agent operations fail or Worklets do not execute as expected, you cannot troubleshoot without access to the amagent.log file. Without remote log retrieval, IT teams must log into each endpoint manually or request users to locate and send log files, creating delays and productivity loss. Agent communication failures, policy execution errors, and authentication issues remain mysterious black boxes when diagnostic logs are inaccessible.

Rather than requiring remote desktop access or on-site visits to view logs, this Worklet brings the diagnostic data directly to your Automox console. This is especially valuable for distributed teams, remote endpoints, and when you need to review agent activity across multiple machines simultaneously.

Collecting these logs proactively also helps you identify patterns in agent behavior before they become critical issues. Regular log reviews can reveal when an agent is struggling with network connectivity, resource constraints, or conflicting software.

How Automox Agent log retrieval works

1. Evaluation phase: The Worklet checks whether the amagent.log file exists at C:\ProgramData\amagent\amagent.log. If the file is found, the endpoint is flagged as eligible for remediation. If the file does not exist, the Worklet run ends without taking further action.

2. Remediation phase: The Worklet executes the retrieval function using the specified mode. By default, it retrieves the last 100 log entries. You can modify the remediation script to use different modes: retrieve the entire log, filter by date, or apply both date filtering and line count limits. The retrieved log contents are written to the Activity Log output.

Automox Agent log retrieval requirements

• Windows 10, Windows 11, or Windows Server 2016 or later

• PowerShell version 4 or higher

• Automox Agent installed and operational on the endpoint

• amagent.log file present at C:\ProgramData\amagent\amagent.log

• Sufficient permissions to read the amagent.log file (typically available to local administrators)

Expected log output after retrieval

After the Worklet runs successfully, the specified portion of the amagent.log file will appear in the Activity Log of the target endpoint. Each log entry includes a timestamp, the Automox Agent action or event, and any associated details. You will be able to review this data immediately to diagnose issues with agent behavior, policy execution, or communication failures.

Verification and troubleshooting: Review the Activity Log output for error messages, failed policy executions, or communication failures. Look for patterns such as repeated connection errors, authentication failures, or Worklet execution timeouts. Cross-reference timestamps with known issues or system events. If the amagent.log file does not exist, the Worklet exits during evaluation without output. When running on a schedule, this Worklet produces log output repeatedly, so use it for targeted troubleshooting rather than continuous monitoring.

How to validate get automox agent log (amagent.log) changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for get automox agent log (amagent.log).

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as Files-Required, By-Automox, LocationofFilesRequiredByAutomox-Windows.

4. Validate remediation effects from script operations such as Get-AmagentLog, Files-Required, By-Automox, then rerun evaluation for compliance.